Suggests review of fines, information sharing and data collection.

The federal government is considering breaking some urgent reforms out of the Privacy Act review in the wake of the Optus data breach, attorney general Mark Dreyfus said yesterday.

Speaking to the National Press Club in Canberra, Dreyfus foreshadowed possible increases to fines under the Act, formalising information-sharing processes, and changes to data storage and retention requirements.

Dreyfus said while the previous government initiated a review, it was never progressed and as a result, “we have a very outdated piece of legislation in the Privacy Act”.

He committed to having the review completed this year, but said the Optus data breach highlighted the need for some reforms to happen sooner.

“We’re now looking at bringing forward from that Privacy Act review process some urgent reforms that we can make quickly to the Privacy Act, which won’t be … the full set of reforms that we want to make. But there’s some things that I think we can do urgently”, he said.

The first is that the government is backing Information and Privacy Commissioner Angelene Falk’s calls for fines for breaches of the Act to be increased.

Last month, Falk said fines needed to go beyond “the cost of doing business” for them to be genuine deterrents that “incentivised compliance with privacy law”.

A second reform would be to formalise the temporary information sharing arrangements put in place as part of the government’s response to the breach.

Those regulations allowed Optus to share limited information about compromised data, like Medicare and driver’s licence numbers, with financial institutions.

Dreyfus said creating the rules by regulation was a cumbersome process.

Since an attacker who steals 100 points’ worth of identity data can commit not only identity theft, but also a range of financial frauds, Dreyfus said, “We would like to think it was possible to devise a way to get [information sharing] done quicker”.

Third, Dreyfus said, government identification requirements – such as the ID needed to buy telecommunications services – may be in need of reform.

“The third thing that we might look at is the question [of] why is it that companies feel that they need to have so much information in the first place”.

Retaining less data would make breaches less attractive, but would involve looking at the trade-off between customer safety and national security.

That balance “is something we need to look at”, Dreyfus said, indicating that there would be consultation with the Independent National Security Legislation Monitor Grant Donaldson.
